FAILURE during secondary validation again!

I had this error last renewal as well, not sure what's involved, but the DNS provider is timing out or not returning a valid response to cert-bot? Is GoDaddy's DNS rate limiting cert-bot?

Is anyone else having this issue?

My domain is:

All OK! No issues were found with

DNS problem: query timed out looking up A for","status":400}

dig A

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
; IN A


;; Query time: 80 msec
;; WHEN: Sun Oct 04 03:51:21 EDT 2020
;; MSG SIZE rcvd: 75

PHP Fatal error: Uncaught AcmePhp\Core\Exception\Protocol\ChallengeFailedException: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: Fetching No valid IP addresses found for","status":400},"url":"","token":"Up4TTYgKdq029IEShx6tW0-NuNSaoW9BQ9tljHvo_wU","validationRecord":[{"url":"","hostname":"","port":"80","addressesResolved":[""],"addressUsed":""},{"url":"","hostname":"","port":"443","addressesResol in phar:///usr/local/bin/ee/vendor/acmephp/core/AcmeClient.php on line 195

This was the last thread, which I couldn't re-open: During secondary validation: DNS problem: query timed out looking up A for","status":400}

Is the solution to leave GoDaddy DNS to improve the DNS lookup efficiency?

There's a more recent thread about these here: During secondary validation: No valid IP addresses found

The error you posted occurred at exactly 1AM UTC. Does the problem persist for you if you pick a more random time?


I get the same error if I manually run the command at random times, even now.
For good measure, I am going to change the cron time to something more random.
This error happens regularly, trying to renew now for 2+ days.

Okay, thanks. An engineer got tagged in the other thread, so maybe check for updates there in 2-3 days from now.

Ran it manually again now, and it was successful.
I have not made any changes, so the DNS timeout upon lookup of the secondary is preventing the SSL from being renewed. Maybe cert-bot can be adjusted in a manner in which a secondary lookup provides a soft warning instead of a failure?

These types of errors (urn:ietf:params:acme:error:dns) are returned by the Let's Encrypt CA per decisions made on high, so certbot is absolutely powerless to do anything.

Poor cert-bot. :frowning: But in all seriousness, the IP was discovered correctly by the primary lookup; the secondary lookup timing out or barfing shouldn't be a catastrophic failure, no?

I'm going to save you a whole lot of headache... :slightly_smiling_face:

Honestly, I'm not really sure of the rationale.

Thank you - much obliged... random time for the win...

We aim to please. :slightly_smiling_face:
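The failure quoted in this thread is a `urn:ietf:params:acme:error:dns` problem whose detail begins with "During secondary validation:", and the fix that worked was moving the renewal off the top of the hour. As an added example (not code from any poster, certbot or acmephp), this Python helper for a renewal wrapper classifies such a challenge response and spaces retries onto random minutes; `classify`, `next_attempt`, the retry policy and the sample JSON are assumptions made for illustration.

```python
import json
import random
from datetime import datetime, timedelta, timezone

DNS_ERROR = "urn:ietf:params:acme:error:dns"
SECONDARY = "During secondary validation:"

# Constructed sample, shaped like the failed challenge quoted in the thread
# (example.com is a placeholder; the thread's hostname is not shown).
SAMPLE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": DNS_ERROR,
        "detail": SECONDARY + " DNS problem: query timed out looking up A for example.com",
        "status": 400,
    },
})


def classify(challenge_json):
    """Map an ACME challenge object to 'valid', 'pending', 'retry' or 'investigate'."""
    chall = json.loads(challenge_json)
    if chall.get("status") != "invalid":
        return "valid" if chall.get("status") == "valid" else "pending"
    err = chall.get("error") or {}
    secondary = err.get("detail", "").startswith(SECONDARY)
    # Assumption: a DNS error reported only by a secondary vantage point is worth
    # retrying; anything else needs a human to look at DNS or the web server.
    return "retry" if err.get("type") == DNS_ERROR and secondary else "investigate"


def next_attempt(now, attempt, rng=random):
    """Exponential backoff (1h, 2h, 4h, capped at 12h) landing on a random minute 1-59."""
    delay = timedelta(hours=min(2 ** attempt, 12))
    slot = (now + delay).replace(minute=0, second=0, microsecond=0)
    return slot + timedelta(minutes=rng.randint(1, 59), seconds=rng.randint(0, 59))


if __name__ == "__main__":
    now = datetime(2020, 10, 4, 1, 0, tzinfo=timezone.utc)  # constructed start time
    verdict = classify(SAMPLE)
    print(verdict)
    if verdict == "retry":
        for attempt in range(3):
            print(attempt, next_attempt(now, attempt, random.Random(attempt)).isoformat())
```

A wrapper would call `classify` on the challenge JSON its ACME client reports and only re-run the renewal when the verdict is `retry`, leaving every other failure for manual review.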
